Sunday, March 20, 2016

Content Filtering Techniques on Palo Alto Firewall

Content filtering techniques on Palo Alto firewall


1. URL filtering

URL filtering allows you to block web browsing based on URL category.

For example, you could block these categories available on Palo Alto - abused drugs, alcohol and tobacco, phishing, peer to peer.

Palo Alto also allows you to check URL category for a particular website.
'Check URL category' feature on Palo Alto firewall will redirect the user to a website where URL category can easily be determined.

You can also create a custom URL category and specify websites here in the URL category.
The URL category can then be controlled using actions like alert, allow, block, continue, override.

More on the actions is here

Response pages is something where the user would see a particular HTML page.
And this page would notify the user that URL is not allowed as per the internal company policy.


2. Application based filtering
Palo Alto firewalls have the App ID feature.
This essentially allows users to block applications like dropbox, skype very easliy.

So when you configure the security policy on Palo Alto, you specify the application type in addition to other parameters like

a. Source zone
b. Source user
c. Source IP
d. Destination zone
e. Destination IP
f. Application - YOU SPECIFY THE APP HERE
g. LEAVE SERVICE TO APPLICATION DEFAULT
h. URL category
i. Action
j. Security Profiles


3. File blocking
Here you could block upload/download of specific file types like .exe, .pdf, .rar
And these file types could be blocked for specific applications like gmail.
Several actions are available namely:
a. Alert
b. Block
c. Continue
d. Forward
e. Continue and Forward

You may find more on these different actions here


Thursday, March 17, 2016

Palo Alto - x forwarded for feature

Enterprise internet set ups incorporate systems like Proxy Servers.
Such systems help cache internet data and eventually save a lot of internet bandwidth and cost.

What do proxy servers additionally do?

a. Source NAT (SNAT) client IPs and source internet traffic from itself.
Here you are hiding/masking client IP address. Such mechanism prevents client IP addresses from being spoofed.
To sum this up, when IP packet passes through a proxy server, source IP field of the IP packet is modified and source is changed to be IP address of proxy server.

b. Along with this, the proxy server will add “x-forwarded-for” in the http GET request from the client and client IP address to this field.
So the original client IP information is retained in the IP packet using x-forwarded-for field.

Picture this now, your internet destined traffic coming out of the proxy server now flows through Palo Alto firewall deployed in transparent mode.

And the traffic flow is something like this

Client system - Proxy Server - Palo Alto firewall (transparent mode) - Internet Router - Internet Cloud.

And the return traffic will be
Internet Cloud - Internet router - Palo Alto firewall (transparent mode) - Proxy server - Client system

Now with a proper Security Incident & Event Management (SIEM) solution in place, traffic flowing through Palo Alto firewalls could now be logged.
And the x-forwarded-for option will reveal the actual client IP on the logging system.

The x forwarded for feature on Palo Alto is covererd here:


https://live.paloaltonetworks.com/t5/Learning-Articles/X-FORWARDED-FOR-Feature-in-PAN-OS-6-1/ta-p/53879


Saturday, March 12, 2016

Usage of failover exec mate command in Cisco ASA

So, recently I came across this situation  where I had to check the TACACS shared secret on standby ASA without directly logging into it.
Reason being that the standby firewall just wouldn't let me log in directly.
Standby unit was earlier integrated with the AAA server.
My efforts of firstly removing the standby device from AAA server failed.
AAA server was throwing logs which suggested mismatching TACACS shared secret.

Cisco ASA has this handy command which you can execute from the primary ASA to get output from standby unit.
On the active unit, you can execute commands like

failover exec mate show run


You may log the session output to a file and check/verify your TACACS key provided it is not encrypted.